Q) Where do valid activities for each authorization Objects are stored?A) In the table TACTZ

Q) How do I identify pre-defined roles and what is their use?A) Pre-defined roles begin with the prefix “SAP_”. These roles are used as templates for creating customized roles.

Q) Can we assign pre-defined roles to a user? If so, how?A) No, never assign a role to a user. If at all you want to, then first make a copy of pre-defined role and then add the user to the role.

Q) Is a role without Auth-profile considered as complete or not?A) No

Q) What are the types of roles?A) Roles are 2 types 1) Parental Role 2) Derived / Base Role

Q) What is the relationship between parent and derived roles?A) In Parent role we maintain the list of Transaction Codes whereas in derived role we assign the parent role name so that an inheritance hierarchy is being maintained and hence the transactions are automatically pulled into derived roles.

Q) What are the total numbers of activities?A) As per 4.7 total number of activities=16801 – 99 = ActivitiesA1 – VF = 69

Q) What is the default authorization object which is used to check for any role?A) S_TCODENote:1) We cannot edit S_TCODE object in a Role. The only way to add a transaction code is in parent role.2) First time while creation of a new role, if any functional related Transactions are added in a role, and then we have to maintain organization level in a popup.3) Red color indicates missing organizational values4) Yellow indicates missing field values and not organizational values.

Q) Why should we not add organizational values directly in a role without using org levels button?A) Value maintenance using directly no longer changes values i.e. whenever we try to add a new value and generate, an empty field appears i.e. when adjusting derived roles authorization value is overwritten.

Q) Why do I need to add a role to transport?A) All the changes to the roles are done in development box and move to production. If I delete a role in dev box, the same role has to be deleted in prod because these roles are finally used by the users in prod box only. Hence the deleted role needs to be transported. Go to PFCG select the role to be deleted. Keep the role in a transport by selecting transport role button.

Q) Unlock a user or track why the user is being locked?A) Go to SU01 -> Enter the user ID -> Log on data and check the user is locked. Go to SUIM -> Change docs for user -> Enter the user name and execute

Q) Where do the default value in a Role comes from i.e. activities under auth object?A) Tables USOBX_C and USOBT_C are the tables, that control the behavior of profile generator after the trans has been selected.

Q) What is single sign-on? 1) Single sign-on, through which we create credential. Third party tool Eg: Keon, later on logon to SAP without entering any credentials. 2) We can even logon through internet using SSO. 3) SSO is represented in form of SNC (Secured Network Connection) string for the SNC String to be activated we need to configure certain DLL files at OS files. 4) Once we confirm DLL files then we need to go to SAPGUI, select one server, go to properties network and check the secure network settings and enter the SNC string.

Q) What are the Steps to Configure CUA? CUA works with RFC’s steps to config CUA. 1) Create logical systems to all the clients (using BD54/SALE) 2) Attach logical system to clients using SCC4 3) Create user CUA_SID in central system with 3 roles and create user CUA_SID_CLIENT <number>/name in child system with 2 roles. 4) Create RFCS to child systems from central and central to child using SM59 5) Log on to central system using SCUA to config CUA (Central User Admin) 6) Enter the model view and enter all child system RFC’s

Q) If all the users are locked mistakenly, how do we connect to SAP system?A) Follow the steps Step 1) Go to OS level and execute the following SQL scripts after connecting to Oracle DB Select * from <Application Server name>.USR02 where bname=’SAP*’; Delete from <Application Server name>.USR02 where bname=’SAP*’; Step 2) Then Login using SAP* user Step 3) Go to EWZ5 or SU10 transaction code and unlock all the users.